Preconfiguring FireSIGHT System Appliances
You can preconfigure your appliance (Defense Center or device) at a staging location (a central location to preconfigure or stage multiple appliances) to be deployed at a target location (any location other than the staging location).
To preconfigure and deploy an appliance to a target location, perform the following steps:
- install the system on the device at the staging location
- optionally, register the device to a Defense Center
- optionally, push any updates from the managing Defense Center to the device
- optionally, unregister the device from the Defense Center
- shut down and ship the appliance to the target location
- deploy the appliances in the target locations
See the following sections for more information:
Tip Save all packing materials and include all reference material and power cords when repackaging the appliance.
Before You Begin
Before preconfiguring the appliance, collect the network settings, licenses, and other pertinent information for the staging location and the target location.
Tip It can be helpful to create a spreadsheet to manage this information at the staging location and the target location.
During the initial setup, you configure your appliance with enough information to connect the appliance to the network and install the system. Optionally, you can connect a device to a Defense Center to push any updates from the Defense Center to the device. You can also enable other features that are not required for initial setup but can be useful to preconfigure. See the following sections for more information:
Required Preconfiguration Information
At a minimum, you need the following information to preconfigure your appliance:
- the new password (initial setup requires changing the password)
- the hostname of the appliance
- the domain name of the appliance
- the IP management address of the appliance
- the network mask of the appliance at the target location
- the default gateway of the appliance at the target location
- the IP address of the DNS server at the staging location, or, if accessible, the target location
- the IP address of the NTP server at the staging location, or, if accessible, the target location
- the detection mode for the target location
Optional Preconfiguration Information
You can change some default configurations, such as:
- allow access to the LCD panel to configure your device (Series 3 managed devices only)
- set the time zone if you choose to manually set the time for your appliances
- set the remote storage location for automatic backups
- set the Lights-Out Management (LOM) IP address on a Series 3 device to enable LOM on the device
Note In some power cycle scenarios, the baseboard management controller (BMC) of a 3D7050 connected to the network via the management interface could lose the IP address assigned to it by the DHCP server. Because of this, Cisco recommends you configure the 3D7050 BMC with a static IP address. Alternately, you can disconnect the network cable and reconnect it, or remove and restore power to the device to force renegotiation of the link.
If you want to register a device to a Defense Center, you need the following information:
- the name or IP address of the managed device
- the name of the management host (the Defense Center)
- the registration key (a personally created unique alphanumeric key up to 37 characters in length)
Preconfiguring Time Management
Keep in mind the following considerations:
- Cisco recommends that you synchronize time to a physical NTP server. Do not synchronize managed devices to a virtual Defense Center. Performance optimization on a virtual appliance can affect the real time clock.
- If the network at your staging location can access the DNS and NTP servers at the target location, use the IP addresses for the DNS and NTP servers at the target location. If not, use the staging location information and reset at the target location.
- Use the time zone for the target deployment if you set the time on the appliance to the manually instead of using NTP. See Time Settings.
Installing the System
Use the installation procedures described in Installing a FireSIGHT System Appliance and Setting Up a FireSIGHT System Appliance. When preconfiguring the system, keep the following in mind:
- On Series 3 devices, if you allow access to the device’s network settings using the LCD panel, you introduce a security risk where unauthorized changes can be made by physically accessing the device. See Series 3 Device LCD Panel Configuration.
- Pre-register a device using the host name or IP address of the Defense Center in the target deployment. Note the registration key for later in completing the registration. See Remote Management.
- If you change the default detection mode, be sure to notify the appropriate personnel at the target deployment. Configuring interfaces differently from the detection mode can cause the system to incorrectly assign interfaces. See Detection Mode.
- If you need to configure Network Address Translation (NAT) for your device, provide the NAT ID of the device when registering the device using either the CLI on the device (Series 3 devices only) or the web interface on its managing Defense Center. See Registering a Series 3 Device to a Defense Center Using the CLI and Working In NAT Environments in the FireSIGHT System User Guide .
- Add licenses during the initial setup. If you do not add licenses at that time, any devices you register during initial setup are added to the Defense Center as unlicensed; you must license each of them individually after the initial setup process is over. See License Settings.
Registering a Device
You can register a device to a Defense Center to push policies and updates to the managed device if your Defense Center is running a software version equal to or greater than the software version on the device.
Note If you deploy the Defense Center and its managed device in different target locations, you must delete the device from the Defense Center before shutting down the appliances. See Deleting Devices from a Defense Center.
To register a device to a Defense Center:
Step 1 On the device, configure remote management using the host name or IP address of the Defense Center in the target deployment. Note the registration key for later use in completing the registration. See Remote Management .
Note You must configure remote management on the device before you can register the device to a Defense Center.
Step 2 On the Defense Center, register the device using the registration information from your remote management configuration. See Device Registration.
Preparing the Appliance for Shipment
To prepare the appliance for shipment, you must safely power down and repackage the appliance:
Deleting Devices from a Defense Center
Unless you deploy the Defense Center and its managed device at the same target location, you must delete the device from the Defense Center. This prevents the device from looking for the UUID of the original Defense Center when you register the device to a different Defense Center at the target location.
To delete a device from the Defense Center:
Step 1 On the Defense Center, Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device you want to delete, click the delete icon ( ).
When prompted, confirm that you want to delete the device. Communication between the device and the Defense Center is discontinued and the device is deleted from the Device Management page. If the device has a system policy that causes it to receive time from the Defense Center via NTP, the device reverts to local time management.
After deleting the device from the Defense Center, verify that the device is not remotely managed by the Defense Center.
To verify that a device is not managed by a Defense Center:
Step 1 On the managed device, you can use either the web interface or the CLI:
- On the web interface of the managed device, go to System > Local > Registration > Remote Management and confirm that the Host list on the Remote Management screen is empty.
- On the CLI of the managed device, run the command
show manager and confirm that no host is displayed.
Deleting a License from a Defense Center
Use the following procedure if you need to delete a license for any reason. Keep in mind that, because Cisco generates licenses based on each Defense Center’s unique license key, you cannot delete a license from one Defense Center and reuse it on a different Defense Center. For more information, see See Licensing the FireSIGHT System in the FireSIGHT System User Guide .
To delete a license:
Step 1 Select Systems > Licenses.
The License page appears.
Step 2 Next to the license you want to delete, click the delete icon ( ).
Deleting a license removes the licensed capability from all devices using that license. For example, if your Protection license is valid and enabled for 100 managed devices, deleting the license removes protection capabilities from all 100 devices.
Step 3 Confirm that you want to delete the license.
The license is deleted.
Powering Down the Appliance
Use the following procedures to power down the appliance safely before disconnecting the power supply.
To power down a Defense Center:
Step 1 On the Defense Center, enter the following at the command line:
sudo shutdown -h now
The Defense Center shuts down safely.
To power down a managed device:
Step 1 On the device, enter the following at the command line:
The device shuts down safely.
To prepare the appliance for shipment to the target location, you must safely power down and repackage the appliance. Keep in mind the following considerations:
- Use the original packaging to repack the appliance.
- Include all reference material and power cords with the appliance.
- Protect the NetMods and SFPs from damage caused by improper handling or undue pressure.
- Provide all setting and configuration information to the target location, including the new password and the detection mode.
Troubleshooting the Appliance Preconfiguration
If your appliance is correctly preconfigured for target deployment, you can install and deploy the appliance without further configuration.
If you have difficulty logging into the appliance, the preconfiguration may have an error. Try the following troubleshooting procedures:
- Confirm that all power cables and communication cables are connected properly to the appliance.
- Confirm that you have the current password for your appliance. The initial setup at the staging location prompts you to change your password. See the configuration information provided by the staging location for the new password.
- Confirm that the network settings are correct. See Initial Setup Page: Devices and Initial Setup Page: Defense Centers.
- Confirm that the correct communication ports are functioning properly. See the documentation for your firewall for information on managing firewall ports. See Communication Ports Requirements for required open ports.
- If you use a Network Address Translation (NAT) appliance in your deployment, confirm that NAT is configured correctly. See Working in NAT Environments in the FireSIGHT System User Guide .
If you continue to experience difficulty, contact your IT department.